wp ipsentry status \u2014 show current configuration and threat counts\nwp ipsentry test-ip <ip> \u2014 run a live API check on any IP\nwp ipsentry whitelist add <ip> \u2014 add an IP or CIDR to the whitelist\nwp ipsentry whitelist remove <ip> \u2014 remove from whitelist\nwp ipsentry blacklist add <ip> \u2014 add an IP or CIDR to the blacklist\nwp ipsentry log --limit=20 \u2014 view recent threat log entries\n<\/code><\/pre>\n\nThird Party Services<\/h3>\n\n
This plugin connects to external services. By installing and activating this plugin you agree to the terms of each service you enable.<\/p>\n\n
Predax API<\/h4>\n\n
This plugin transmits visitor IP addresses to the Predax API<\/strong> (https:\/\/predax.io) for real-time threat detection and risk scoring.<\/p>\n\nWhat is sent:<\/strong> The visitor's IP address, and optionally their timezone (when timezone mismatch detection is enabled and visitor protection is active).\nWhen it is sent:<\/strong> On each page load, login attempt, registration, or comment submission, subject to your configured protection settings. Results are cached for 1 hour so repeat visits by the same IP do not generate additional API calls.\nWho operates the service:<\/strong> Predax (predax.io)\nTerms of Service:<\/strong> https:\/\/predax.io\/terms\nPrivacy Policy:<\/strong> https:\/\/predax.io\/privacy<\/p>\n\nCommunity Threat Network (opt-in, disabled by default)<\/h4>\n\n
The Community Threat Network is opt-in and disabled by default<\/strong>. No block or monitor events are sent to the community network unless you enable it yourself in Settings \u2192 Predax Security \u2192 Advanced<\/strong>.<\/p>\n\nWhen \u2014 and only when \u2014 you explicitly enable it, anonymised block and monitor events (containing: IP address, action taken, block reason, country code, and risk score) are sent to the Predax API at predax.io. This data is used to build a shared threat database that improves detection accuracy for all sites in the network. You can turn community reporting back off at any time in the same settings screen.<\/p>\n\n
Google reCAPTCHA<\/h4>\n\n
When reCAPTCHA v3 is enabled (Settings \u2192 Protection \u2192 reCAPTCHA), this plugin loads the reCAPTCHA script from google.com<\/strong> and sends form submission tokens to google.com\/recaptcha<\/strong> for verification. Google may collect data according to their privacy policy. You must provide your own reCAPTCHA site key and secret key.<\/p>\n\nGoogle Privacy Policy:<\/strong> https:\/\/policies.google.com\/privacy\nreCAPTCHA Terms:<\/strong> https:\/\/policies.google.com\/terms<\/p>\n\nBrowser Fingerprinting<\/h4>\n\n
When browser fingerprint scoring is enabled (Settings \u2192 Protection \u2192 Fingerprint Scoring), this plugin collects screen resolution, timezone, platform string, WebGL renderer, and plugin count from the visitor's browser on the login page. Fingerprint data is used locally to score bot likelihood and is stored in WordPress only while the login form is being submitted, then discarded. The visitor's timezone may be included in the API request to detect timezone mismatch when that feature is enabled.<\/p>\n\n
Cookies set by this plugin<\/h4>\n\n
All cookies set by this plugin are functional service cookies, not tracking cookies, and are only written when the relevant feature is explicitly enabled by the site administrator:<\/p>\n\n
\nipsentry_tz<\/code> \u2014 carries the visitor's browser timezone to the Predax API when timezone-mismatch detection is active. Written from ipsentry-tz.js<\/code> on the front-end. Expires after 24 hours. SameSite=Lax<\/code>. Only set when an API key is configured AND visitor or login protection is enabled.<\/li>\nips_jsc<\/code> \u2014 JavaScript challenge solve token. Written from js-challenge.js<\/code> when a visitor passes the challenge. Expires after 24 hours. SameSite=Lax<\/code>. Only set when the JavaScript Challenge feature is enabled.<\/li>\n<\/ul>\n\nNo tracking or advertising cookies are written by this plugin.<\/p>\n\n
By activating this plugin and entering an API key, you agree to the Predax Terms of Service and Privacy Policy. You are responsible for ensuring your use of visitor IP data complies with applicable privacy laws (GDPR, CCPA, etc.) and your own site's privacy policy.<\/p>\n\n\n
\n- Upload the
ipsentry-security<\/code> folder to \/wp-content\/plugins\/<\/code><\/li>\n- Activate the plugin through the Plugins<\/strong> menu in WordPress<\/li>\n
- The setup wizard will guide you through connecting your API key and choosing a protection level<\/li>\n
- Go to Predax Security<\/strong> in the admin sidebar to view the security dashboard<\/li>\n
- Click Settings<\/strong> to fine-tune protection types, risk thresholds, and advanced features<\/li>\n
- Visit the Threat Log<\/strong> page to verify the plugin is detecting threats<\/li>\n<\/ol>\n\n\n
\nWill this slow down my site?<\/h3><\/dt>\nNo. API results are cached in the WordPress database for 1 hour per IP. After the first check, returning visitors are served from cache with no API call. The cache TTL is configurable.<\/p><\/dd>\n
Does this block all VPN users?<\/h3><\/dt>\nOnly if you enable VPN blocking. By default the plugin is set to monitor<\/em> VPN traffic (log it but not block it). You control exactly which threat types trigger a block.<\/p><\/dd>\nWhat happens to blocked visitors?<\/h3><\/dt>\nBy default they see a standard WordPress error page with a 403 status code. You can enable the Custom Block Page<\/strong> option to show a branded page with your own message and a support link.<\/p><\/dd>\nDoes it work with Cloudflare?<\/h3><\/dt>\nYes. The plugin reads the CF-Connecting-IP<\/code> header automatically when Cloudflare is detected, so the real visitor IP is used rather than the Cloudflare proxy IP.<\/p><\/dd>\nIs the free plan enough for a small site?<\/h3><\/dt>\nFor most small sites, yes. The free plan provides 1,000 checks per day. With 1-hour caching, this covers approximately 1,000 unique visitors per day. Returning visitors within the hour use cached results and don't count against your quota.<\/p><\/dd>\n
Can I whitelist my own IP?<\/h3><\/dt>\nYes. Go to Settings \u2192 Predax Security \u2192 Whitelist \/ Blacklist<\/strong> and add your IP or CIDR range. Whitelisted IPs bypass all checks.<\/p><\/dd>\nDoes it protect the WooCommerce checkout?<\/h3><\/dt>\nThe base security plugin protects logins and registrations. For WooCommerce checkout protection (fraud scoring, country mismatch, order velocity, auto hold), use the companion Predax WooCommerce Fraud Guard<\/strong> plugin.<\/p><\/dd>\nWhat data is sent to the API?<\/h3><\/dt>\nThe visitor's IP address, and optionally their timezone when timezone mismatch detection is enabled. A temporary cookie is used to pass the timezone from the browser to the server. No page content or personal user data is transmitted. See the Third Party Services section below for full details.<\/p><\/dd>\n\n<\/dl>\n\n\n
1.9.4<\/h4>\n\n\n- Compatibility: tested with WordPress 7.0 and PHP 8.2. No deprecations or warnings under
WP_DEBUG<\/code>.<\/li>\n- Branding: setup wizard logo and wordmark refreshed to Predax (the \"(formerly IPSentry)\" suffix remains in the plugin name for clarity). API key field now shows the current
prdx_live_\u2026<\/code> placeholder. Existing ipsent_*<\/code> keys continue to authenticate normally.<\/li>\n- Fix: setup wizard OAuth flow no longer fails with a blank \"0\" page on the redirect back from predax.io. The callback action is now passed explicitly so the flow is robust against future predax.io frontend changes.<\/li>\n
- Internal: removed an unused legacy settings template that was shipping in the zip without being loaded anywhere.<\/li>\n<\/ul>\n\n
1.9.3<\/h4>\n\n\n- Branding: IPSentry has been rebranded to Predax<\/strong>. The plugin name, description, and admin labels now use the Predax name. The plugin slug, internal class names, text domain, settings, and your existing API key all remain unchanged \u2014 the upgrade is purely cosmetic and 100% backwards compatible.<\/li>\n
- Branding: external links from the admin pages now point to
predax.io<\/code> instead of ipsentry.io<\/code>. The legacy ipsentry.io<\/code> URL still redirects, so older bookmarks continue to work.<\/li>\n- Compatibility: legacy
ipsent_*<\/code> API keys created before the rebrand continue to authenticate normally. New keys generated at https:\/\/predax.io\/dashboard\/api-keys<\/code> start with prdx_<\/code>. Both work.<\/li>\n- No data changes. No setting resets. Nothing to reconfigure after the update.<\/li>\n<\/ul>\n\n
1.9.1<\/h4>\n\n\n- Privacy & compliance: Community Threat Network now has an explicit opt-in toggle in Settings \u2192 Advanced (disabled by default). Clarified documentation: no data is shared with the community network unless the site admin explicitly enables it.<\/li>\n
- Privacy & compliance: visitor protection and login protection are now off by default on fresh installs<\/strong>. They are enabled the moment a user completes the Setup Wizard and picks a protection preset (that click is the explicit opt-in). Existing sites upgrading from 1.9.0 are not affected \u2014
add_option()<\/code> respects existing values, so if you already had these on, they stay on.<\/li>\n- Security: reordered nonce verification before capability check on the test-connection AJAX endpoint.<\/li>\n
- Security: added IP\/CIDR validation on the blacklist and whitelist inputs \u2014 invalid entries are now silently dropped rather than stored.<\/li>\n
- Security: added
uninstall.php<\/code> that cleans up all plugin options and drops both custom tables when the plugin is deleted.<\/li>\n- Privacy: added
wp_add_privacy_policy_content<\/code> integration so administrators can pull suggested Privacy Policy text from Tools \u2192 Privacy.<\/li>\n- Code quality: extracted inline styles from the OAuth callback page, front-end footer badge, and comment honeypot into external stylesheets. Removed an inline
onclick<\/code> handler from the [ipsentry_lookup]<\/code> shortcode.<\/li>\n- Code quality: internationalised hard-coded English error messages in admin endpoints. Localised number formatting in event counts and threat badges.<\/li>\n<\/ul>\n\n
1.9.0<\/h4>\n\n\n- New: Security Dashboard \u2014 a dedicated dashboard page with real-time threat statistics, blocking activity chart, protection status overview, firewall summary table, top targeted paths, threat type breakdown, and country analysis.<\/li>\n
- Improved: Settings page redesigned with cleaner layout and better visual hierarchy.<\/li>\n
- Improved: Setup wizard redesigned with modern dark theme and clearer protection preset cards.<\/li>\n<\/ul>\n\n
1.8.0<\/h4>\n\n\n- New: HTTP Security Headers \u2014 enable HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy from the plugin settings. One toggle to harden your site's browser security.<\/li>\n
- New: Google reCAPTCHA v3 \u2014 invisible bot protection for login and registration forms. No puzzles for visitors.<\/li>\n
- New: Honeypot URL Traps \u2014 hidden decoy URLs that catch automated scanners instantly. Pre-configured with 8 common trap paths.<\/li>\n
- New: User-Agent Blocking \u2014 block known malicious bots, scanners, and scrapers by their User-Agent string. Ships with 20 pre-configured patterns.<\/li>\n
- New: 404 Threshold Blocking \u2014 automatically block IPs that trigger excessive 404 errors (scanner behavior). Configurable threshold and temporary or permanent blocking.<\/li>\n
- New: Known Bot Verification \u2014 verify that visitors claiming to be Googlebot, Bingbot, and other search engines are legitimate using reverse DNS + forward DNS confirmation. Catches fake bot impersonators.<\/li>\n
- New: JavaScript Challenge \u2014 invisible browser verification that blocks bots unable to execute JavaScript. Clean dark-themed challenge page.<\/li>\n
- New: Comment Spam Honeypot \u2014 hidden form field that catches spam bots filling in invisible fields. Zero false positives.<\/li>\n
- New: Browser Fingerprint Scoring \u2014 detects inconsistencies between User-Agent claims and actual browser capabilities on the login page. Logs suspicious fingerprints.<\/li>\n
- New: Request Pattern Analysis \u2014 identifies bot-like request timing patterns (machine-precise intervals vs human browsing).<\/li>\n
- New: WordPress Hardening \u2014 one-click toggles to disable XML-RPC, hide WordPress version, and disable file editing.<\/li>\n
- New: IP Lookup Shortcode [ipsentry_lookup] \u2014 embed an IP threat check widget on any page. Dark and light themes available.<\/li>\n
- New: Protected Badge Shortcode [ipsentry_badge] \u2014 display \"Protected by Predax \u2014 X threats blocked\" on your site.<\/li>\n<\/ul>\n\n
1.7.0<\/h4>\n\n\n- New: One-Click Connect \u2014 click \"Connect with Predax\" in the setup wizard to link your site instantly. No API key to copy or paste. Just log in (or create a free account), approve, and you're protected.<\/li>\n
- New: OAuth2 Authorization Code flow with PKCE for secure, industry-standard site authentication.<\/li>\n
- Improved: Setup wizard now defaults to one-click connect with manual API key entry as a fallback option.<\/li>\n<\/ul>\n\n
1.6.0<\/h4>\n\n\n- New: Setup Wizard \u2014 guided 3-step setup on first activation. Connect your API key, choose a protection level (Recommended, Strict, or Monitor Only), and you're done in under a minute.<\/li>\n
- New: Protection presets \u2014 one-click configuration for common security profiles. Re-run anytime from Settings > Developer > Run Setup Wizard.<\/li>\n<\/ul>\n\n
1.5.5<\/h4>\n\n\n- Improvement: All block messages now clearly state \"Predax has blocked your access\" \u2014 visitors always know who blocked them and why.<\/li>\n
- Improvement: VPN detection now uses ASN-based matching for major VPN providers (NordVPN, Mullvad, ProtonVPN, Surfshark, ExpressVPN, and more). Previously, some VPN IPs were only flagged as \"datacenter\" if not in the feed list.<\/li>\n<\/ul>\n\n
1.5.4<\/h4>\n\n\n- New: Reason-specific block pages \u2014 blocked visitors now see a clear, context-aware message explaining exactly why they were blocked (VPN detected, high-risk IP, Tor network, temporary lockout with countdown, etc.) instead of a generic error.<\/li>\n
- New: Custom block page is now ON by default for all new installs. No configuration needed \u2014 blocked visitors immediately see a branded, professional page.<\/li>\n
- New: Temporary lockout block message now shows the exact remaining wait time (e.g. \"Please wait 2 hours and 30 minutes before trying again\").<\/li>\n
- New: All login, registration, and comment blocks now show reason-specific messages appropriate to the context.<\/li>\n
- Improvement: Exponential backoff for clean IP lockouts \u2014 each repeated lockout doubles in duration (30min \u2192 60min \u2192 120min \u2192 ... \u2192 24hr max). Resets on successful login.<\/li>\n
- Improvement: Residential proxy and timezone mismatch signals now treated as risky (trigger permanent blacklist path, not temporary lockout).<\/li>\n<\/ul>\n\n
1.5.3<\/h4>\n\n\n- New: Risk-aware failed login protection \u2014 VPN\/proxy\/datacenter\/high-risk IPs are permanently blocked after 3 failed attempts. Clean\/residential IPs get a temporary lockout only (default 30 min), protecting legitimate users who forget their password. (If the Community Threat Network is enabled \u2014 it is off by default \u2014 these block events are also shared with the network.)<\/li>\n
- Improvement: Lockout thresholds and duration are configurable in Settings \u2192 Protection.<\/li>\n
- Fix: Test Connection button in Developer tab no longer submits the settings form, and now works reliably on slow\/local dev environments (LocalWP, etc.).<\/li>\n<\/ul>\n\n
1.5.2<\/h4>\n\n\n- Fix: VPN\/proxy users set to \"Monitor\" mode were incorrectly blocked by the risk threshold. The risk score on VPN\/proxy IPs is elevated by the VPN\/proxy flag itself \u2014 so if you've chosen to monitor (not block) those users, the threshold no longer overrides that decision.<\/li>\n<\/ul>\n\n
1.5.1<\/h4>\n\n\n- Improvement: Settings page redesigned with tabbed interface (Protection, Notifications, Advanced, Developer)<\/li>\n
- Improvement: Save and Test Connection buttons now shown inline next to the API key field<\/li>\n
- Improvement: Help tooltips added to every setting explaining what each option does<\/li>\n
- Improvement: Visitor screening enabled by default for new installs<\/li>\n
- Improvement: Custom block page now shows \"Protected by Predax\" footer branding<\/li>\n
- Improvement: Developer tools (Test IP, Import\/Export) moved to dedicated Developer tab<\/li>\n<\/ul>\n\n
1.5.0<\/h4>\n\n\n- New: Web Application Firewall \u2014 detects and blocks SQL injection, XSS, path traversal, file probes, known scanner tools, and command injection attempts<\/li>\n
- New: Community Threat Network (opt-in, off by default) \u2014 when you enable it, IP blocks propagate to other opted-in sites in the network via the Predax community score<\/li>\n
- New: WAF toggle in plugin settings (default on); independent of the risk score threshold<\/li>\n<\/ul>\n\n
1.4.0<\/h4>\n\n\n- New: Custom block page \u2014 show a branded 403 page with configurable title, message, and support link<\/li>\n
- New: XML-RPC protection \u2014 block high-risk IPs from XML-RPC calls<\/li>\n
- New: REST API protection \u2014 block high-risk IPs from WP REST API requests<\/li>\n
- New: Disposable email blocking \u2014 reject registrations using throwaway email services (30+ providers)<\/li>\n
- New: Settings import\/export \u2014 back up and restore configuration as a JSON file<\/li>\n
- New: WP-CLI commands \u2014 manage lists and run IP tests from the command line (
wp ipsentry<\/code>)<\/li>\n- New: Test IP override \u2014 set a fixed IP in settings for local\/staging testing<\/li>\n
- Fix: Registration protection now correctly flags disposable email domains<\/li>\n<\/ul>\n\n
1.3.0<\/h4>\n\n\n- New: General visitor protection \u2014 optionally check all site visitors (with transient caching)<\/li>\n
- New: Country and region blocking with full ISO 3166-1 alpha-2 support (249 countries)<\/li>\n
- New: Custom risk scoring weights \u2014 adjust how much each threat type contributes to the risk score<\/li>\n
- New: Telemetry pipeline \u2014 anonymised threat signals can feed community intelligence when the Community Threat Network is enabled (off by default)<\/li>\n
- Improvement: VPN\/proxy\/Tor options now have Off\/Monitor\/Block modes for finer control<\/li>\n
- Fix: Transient cache key collisions on multisite installs<\/li>\n<\/ul>\n\n
1.2.0<\/h4>\n\n\n- New: Event tracking log \u2014 view all API check events (not just blocks) for audit purposes<\/li>\n
- New: Admin dashboard widget with 7-day threat chart<\/li>\n
- New: CIDR range support for whitelist and blacklist entries<\/li>\n
- Improvement: API client now retries once on timeout before failing open<\/li>\n<\/ul>\n\n
1.1.0<\/h4>\n\n\n- New: Registration protection \u2014 block high-risk IPs from creating accounts<\/li>\n
- New: Comment protection \u2014 block high-risk IPs from posting comments<\/li>\n
- New: Configurable risk threshold (default 50)<\/li>\n
- New: CSV export for the threat log<\/li>\n
- Fix: Login protection now respects whitelist entries correctly<\/li>\n<\/ul>\n\n
1.0.0<\/h4>\n\n\n- Initial release<\/li>\n
- Login protection with VPN, proxy, and Tor detection<\/li>\n
- Whitelist\/blacklist management<\/li>\n
- Threat log<\/li>\n
- Dashboard widget<\/li>\n<\/ul>","raw_excerpt":"Real-time IP threat detection and blocking. Stop VPNs, proxies, Tor, bots, and high-risk IPs before they reach your site.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/296814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=296814"}],"author":[{"embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/ipsentry"}],"wp:attachment":[{"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=296814"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=296814"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=296814"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=296814"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=296814"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/pap-aw.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=296814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}